Questions regarding partial policy load, and the future

Kees Cook kees.cook at canonical.com
Mon Jun 21 00:05:46 BST 2010 

Hi,

On Sun, Jun 20, 2010 at 08:04:23AM -0500, Jamie Strandboge wrote:
> On Sat, 2010-06-19 at 17:15 -0700, Seth Arnold wrote:
> > [Apologies to Jamie for the initial direct reply only to him.]
> > 
> > On Sat, Jun 19, 2010 at 1:55 PM, Jamie Strandboge <jamie at canonical.com> wrote:
> > > imagine the benefits of doing so now are not that great (ie, we install
> > > a new cups profile, and then do a '/etc/init.d/apparmor reload' -- with
> > > caching, the load of the cached profiles is nearly instantaneous so the
> > > user only really feels the compilation of the new policy, as opposed to
> > > before, when all the profiles were recompiled).
> > 
> > All profiles are recompiled with reload:
> > 
> > restart|reload|force-reload)
> >        log_daemon_msg "Reloading AppArmor profiles"
> >        securityfs
> >        clear_cache
> >        load_configured_profiles
> >        rc=$?
> >        ...
> > 
> 
> Ah so it is. I stand corrected. That said, we could reimplement one of
> restart or reload (or something else) to work as I thought it did. I see
> multiple possibilities for implementation and usage in packaging, but
> the basic idea is that we generate the cache file for the new/updated
> profile and then trigger a reload that loads the cache files rather then
> recompile all the profiles. AIUI, this would be the simulated individual
> policy load John mentioned initially.

The issue was that since caching isn't "finished" (no knowledge/checking of
abstractions is done), I opted for "least surprise" on a reload, and felt
it was safer to blow away the cache and regenerate.

The issue with split loads is to avoid long delays at boot on a cache miss.
Loading from cache is very fast, but when the kernel changes a reboot would
stall for 30 seconds while effectively 3 copies of the evince profile was
parsed, and this would stall everything else (since it was a serial
dependency).  So, now profiles are loaded as-needed directly with
apparmor_parser during early-boot.

-Kees

-- 
Kees Cook
Ubuntu Security Team

More information about the AppArmor mailing list